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NATIONAL RECORDS OF SCOTLAND 

NATIONAL RECORDS OF SCOTLAND TERMS AND CONDITIONS 3 (NRSTC3) 
CONDITIONS OF CONTRACT FOR CONSULTANCY SERVICES (other than Works 
Consultancies) 


These Conditions may only be varied with the written agreement of the Client. 
No terms or conditions put forward at any time by the Consultant shall form any 
part of the Contract unless specifically agreed in writing by the Client. 
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1. DEFINITIONS 


In these Conditions: 


“Contract” means the contract between the Client and the Consultant 
consisting of the Purchase Order, these Conditions and any other documents 
(or parts thereof) specified in the Purchase Order; 


“Client” means the Registrar General of Births, Deaths and Marriages for 
Scotland; 


“Consultant” means the person, firm or company to whom the Contract 

is issued; 

“Data Controller’, “Data Processor”, “Data Subject” and “Data Subject Access 
Request” have the meanings given in the Data Protection Laws; 


“Data Protection Laws” means any Law, statute, subordinate legislation 
regulation, order, mandatory guidance or code of practice, judgment of a 
relevant court of Law, or directives or requirements of any regulatory body 
which relates to the protection of individuals with regard to the processing of 
Personal Data to which a Party is subject including the Data Protection Act 
2018 and any statutory modification or re-enactment thereof and the UK GDPR; 


‘Good Industry Practice’ means standards, practices, methods and procedures 
conforming to legal and regulatory requirements and the degree of skill and 
care, diligence, prudence and foresight which would reasonably and ordinarily 
be expected from a skilled and experienced person or body engaged in a similar 
type of undertaking as the Consultant under the same or similar circumstances. 


“Information Commissioner” means the Commissioner as set out in Part 5 of the 
Data Protection Act 2018. 


“Intellectual Property Rights” means all copyright, patent, trademark, design right, 
database right and any other right in the nature of intellectual property whether or 
not registered, in any materials or works in whatever form (including but not limited 
to any materials stored in or made available by means of an information technology 
system andthe computer software relating thereto) which are created, produced or 
developed in connection with this Contract by or on behalf of the Consultant; 


“Law” means: 

(a) any applicable statute or proclamation or any delegate or subordinate 
legislation; 

(b) any enforceable right forming part of retained EU Law within the meaning of 
the European Union (Withdrawal) Act 2018; 

(c) any applicable guidance, direction, determination, or regulations with which 
the Client and/or the Consultant is bound to comply; 

(d) any applicable judgment of a relevant court of Law which is a binding 
precedent in Scotland; and 

(e) and requirements of any regulatory body; 


in each case in force during the period of the Contract in Scotland. 
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2. 


2.1 


2.2 


2.3 


3.1 


“Personal Data” has the meaning given in the Data Protection Laws; 


“Premises” means the location where the Project is to be performed, 
as specified in the Purchase Order; 


“Processing” has the meaning given in the Data Protection Laws and 
cognate expressions shall be construed accordingly; 


“Project” means the services to be provided as specified in the 
Purchase Order; 


“Purchase Order” means the document setting out the Client’s requirements 
for the Contract; 


“Schedule” means a schedule annexed to and forming part of these 
conditions; 


“Third country” means a country or territory outside the United Kingdom; and 


“UK GDPR’” means Regulation (EU) 2016/679 of the European Parliament and of 
the Council of 27th April 2016 on the protection of natural persons with regard to 
the processing of Personal Data and on the free movement of such data (General 
Data Protection Regulation) as it forms part of the Law of England and Wales, 
Scotland and Northern Ireland by virtue of section 3 of the European Union 
(Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and 
Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. 


THE PROJECT 


The Consultant shall complete the Project with reasonable skill, care and 
diligence in accordance with the Contract. 


The Consultant shall provide the Client with such reports of his work on the 
Project at such intervals in such form as the Client may from time to time 
require. 


The Client reserves the right by notice to the Consultant to modify the Client’s 
requirements in relation to the Project and any alteration to the Contract fee or 
the completion date arising by reason of such modification shall be agreed 
between the parties. Failing agreement the matter shall be determined by 
arbitration in accordance with the provisions of Condition 21 (Dispute 
Resolution). 


CONSULTANT’S PERSONNEL 


The Consultant shall make available for the purposes of the Project any 
individuals named on the Purchase Order as key personnel. The Consultant 
shall provide the Client with a list of the names and addresses of all others 
regarded by the Consultant as key personnel and, if and when instructed by 
the Client, all other persons who may at any time concerned with the Project 
or any part of it, specifying in each case the capacities in which they are so 
concerned and giving such other particulars and evidence of identity and other 
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3.2 


3.3 


3.4 


4.1 


4.2 


4.3 


4.4 


4.5 


4.5 In 


supporting evidence as the Client may reasonably require. The Client may at 
any time by notice to the Consultant designate any person concerned with the 
Project or any part of it as a key person. The Consultant shall not without the 
prior written approval of the Client make any changes in the key personnel 
referred to in this paragraph. 


The Consultant shall take the steps reasonably required by the Client, to 
prevent unauthorised persons being admitted to the Premises. If the Client 
gives the Consultant notice that any person is not to be admitted to or is to be 
removed from the Premises or is not to become involved in or is to be removed 
from involvement in the Project, the Consultant shall take all reasonable steps 
to comply with such notice. 


The decision of the Client shall be final and conclusive as to whether any 
person is to be admitted to or is to be removed from the Premises or is not to 
become involved in or is to be removed from involvement in the Project or as 
to the designation or approval of key personnel and as to whether the 
Consultant has furnished the information or taken the steps required of the 
Consultant by this Condition. 


The Consultant shall bear the cost of any notice, instruction or decision of 
the Client under this Condition. 


SECURITY AND ACCESS TO THE CLIENT’S PREMISES 


Any access to, or occupation of, the Client’s premises which the Client may 
grant the Consultant from time to time is on a non-exclusive licence basis free 
of charge. The Consultant must use the Client’s premises solely for the purpose 
of performing its obligations under the Contract and must limit access to the 
Clients premises to such individuals as are necessary for that purpose. 


The Consultant must comply with the Client’s policies concerning Baseline 
Personnel Security Standard checks and such modifications to those policies 
or replacement policies as are notified to the Consultant from time to time. 


The Consultant must notify the Client of any matter or other change in 
circumstances which might adversely affect future Baseline Personnel Security 
Standard clearance. 


At the Client’s written request, the Consultant must provide a list of the names 
and addresses of all persons who may require admission to the Client's 
premises in connection with the Contract, specifying the capacities in which 
they are concerned with the Contract and giving such other particulars as the 
Client may reasonably request. 


The Consultant must ensure that any individual Consultant Representative 
entering the Client’s premises has completed the process for obtaining Baseline 
Personnel Security Standard clearance. The Consultant acknowledges that the 
Client has the right to deny entry to any individual that has not completed the 
process for obtaining Baseline Personnel Security Standard clearance. 


accordance with the Client’s policies concerning visitor access, entry to the 
Client’s premises may be granted to individual Consultant Representatives for 
the purposes of meetings, notwithstanding that the process for obtaining 
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4.7 


4.8 


4.9 
4.10 


4.11 


Baseline Personnel Security Standard clearance has not commenced or 
completed. 


The Client may, by notice to the Consultant, refuse to admit onto, or withdraw 
permission to remain on, the Clients premises any Consultant Representative 
whose admission or continued presence would, in the opinion of the Client 
acting reasonably, be undesirable. 


The Client must provide advice and assistance acting reasonably to the 
Consultant to facilitate the Consultant’s compliance with this Condition. 


All decisions of the Client under this Condition are final and conclusive. 


Breach of this Condition 4 by the Consultant is a material breach for the 
purposes of Condition 14.2 (Termination). 


If cyber security requirements apply to this Contract: 


4.11.1then these are set out in a Schedule Part 2 (Cyber Security Requirements) to 


this Contract; and 


4.11.2in that case the Consultant shall comply with the provisions of Schedule Part 


2 (Cyber Security Requirements) 


4.11.3.and this Condition 4.11 shall not apply where the Contract does not include a 


Schedule Part 2 (Cyber Security Requirements). 


“Baseline Personnel Security Standard” means the pre-employment controls for all 


civil servants, members of the Armed Forces, temporary staff and 
government contractors generally; 


“Consultant Representatives” means all persons engaged by the Consultant in the 


5.1 


5.2 


performance of its obligations under the Contract including: 


its employees and workers (including persons employed by a third party but 
working for and under the control of the Consultant); 


its agents, Consultants and carriers; and 


any sub-contractors of the Consultant (whether approved under Condition 17 
(Assignation and sub-contracting) or otherwise). 


CHANGE TO CONTRACT REQUIREMENTS 


The Client may order any variation to any part of the Contract that for any 
other reason shall in the Client’s opinion be desirable. Any such variation may 
include (but shall not be restricted to) additions, omissions, alterations, 
substitutions to the Project and changes in quality, form, character, kind, 
timing, method or sequence of the Project. 


Save as otherwise provided herein, no variation of the Project as provided for 
in Condition 5.1 hereof shall be valid unless given or confirmed in the form of 
an order given by the Client. All such orders shall be given in writing provided 
that if for any reason the Client shall find it necessary to give any such order 
orally in the first instance the Contractor shall comply with such oral order 
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which mustbe confirmed in writing by the Client within 2 working days of the 
giving of such oral order by the Client, failing which the variation made by such 
oral order shall cease to have effect on the expiry of the said 2 working day 
period. 


5.3 Where any such variation of the Project made in accordance with 
Conditions 5.1 and 5.2 has affected or may affect the costs incurred by the 
Consultant in providing the Project services, the Consultant will notify the 
Client in writing of the effect which it has had or may have on the said costs and 
such notification shall be considered by the Client, who shall take all of the 
facts into account (including such information as may be provided by the 
Consultant in respect of the effect which such variation has had or may have 
on the costs incurred by the Consultant in providing the service) and may 
authorise such alteration to the sums to be paid to the Consultant in 
accordance with the provisions of the Contract as are, in the Client’s opinion, 
appropriate and reasonable inthe circumstances. 


6. FEES AND EXPENSES 


6.1 The Client shall pay to the Consultant fees and expenses at the rate specified 
in the Purchase Order. 


6.2 The Consultant shall be entitled to be reimbursed by the Client only for 
expenses reasonably and properly incurred by the Consultant in the 
performance of the duties hereunder, subject to production of such evidence 
thereof as the Client may reasonably require. 


6.3.1 Unless otherwise stated in the Contract, payment will be made within 30 days 
of receipt and agreement of invoices, submitted monthly in arrears, for work 
completed to the satisfaction of the Client. 


6.3.2 In this Condition 6, ‘invoice’ includes an electronic invoice meeting all the 
requirements set out in regulation 70A of the Public Contracts (Scotland) 
Regulations 2015 or regulation 44A of the Concession Contracts (Scotland) 
Regulations 2016. 


6.4 Value Added Tax, where applicable, shall be shown separately on all invoices 
as a strictly net extra charge. 


6.5 Notwithstanding Condition 17 (Assignation and sub-contracting) of this 
Contract the Consultant may assign to another person (an “assignee”) the 
right to receive payment of the fees or expenses or any part thereof due to the 
Consultant under this Contract subject to (i) deduction of sums in respect of 
which the Client exercises its right of recovery under Condition 16 (Recovery 
of sums due) of this Contract and (ii) all the related rights of the Client under 
this Contract in relation to the recovery of sums due but unpaid. The 
Consultant shall notify or procure that any assignee notifies the Client of any 
variations to the arrangements for payment of the fees and expenses or for 
handling invoices, in each case in good time to enable the Client to redirect 
payments or invoices accordingly. In the absence of such notification the 
Client shall be under no obligation to vary the Clients arrangements for 
payment of the fees or expenses or for handling invoices. 
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7. AUDIT 


The Consultant shall keep and maintain until 5 years after the Contract has been 
completed records to the satisfaction of the Client of all expenditures which are 
reimbursable by the Client and of the hours worked and costs incurred by the 
Consultant or in connection with any employees of the Consultant paid for by the 
Client on a time charge basis. The Consultant shall on request afford the Client or 
the Client’s representatives such access to those records as may be required by the 
Client in connection with the Contract. 


8. CORRUPT GIFTS OR PAYMENTS 


The Consultant shall not offer or give or agree to give, to any member, employee or 
representative of the Client any gift or consideration of any kind as an inducement or 
reward for doing or refraining from doing, or for having done or refrained from doing, 
any actin relation to the obtaining or execution of this or any other contract with the 
Client or for showing or refraining from showing favour or disfavour to any person in 
relation to this or any such Contract. The attention of the Consultant is drawn to the 

criminal offences created by the Bribery Act 2010. 


9. INTELLECTUAL PROPERTY RIGHTS 


9.1 All Intellectual Property Rights in any material including but not limited to 
reports, guidance, specification, instructions, toolkits, plans, data, drawings, 
databases, patents, patterns, models, designs which are created or developed 
by the Consultant on behalf of the Client for use, or intended use, in relation 
to the performance by the Consultant of its obligations under the Contract are 
hereby assigned to and shall vest in the Crown absolutely. 


9.2 Except as may expressly be provided for in the Contract, neither party acquires 
any interest in or license to use the other party’s Intellectual Property Rights 
owned or developed prior to or independently of the Contract. 


9.3. The Consultant must not infringe any Intellectual Property Rights of any third 
party in carrying out the Project or otherwise performing its obligations under 
the Contract. The Consultant shall indemnify the Client against all actions, 
claims, demands, losses, charges, costs and expenses which the Client may 
suffer or incur as a result of or in connection with any breach of this Condition 
9.3. 


9.4 The provisions of this Condition 9 shall apply during the continuance of this 
Contract and after its termination howsoever arising. 


10. INDEMNITIES AND INSURANCE 


10.1 The Consultant shall indemnify and keep indemnified the Client, the Crown, its 
servants and agents against all actions, claims, demands, costs and expenses 
incurred by or made against the Client or the Crown, its servants or agents in 
respect of any loss or damage or personal injury (including death) which arises 
from any advice given or anything done or omitted to be done under this 
Contract to the extent that such loss, damage or injury is caused by the 
negligence or other wrongful act of the Consultant, or the Consultant’s 
servants or agents. 
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10.2 The Client shall indemnify the Consultant in respect of all claims, proceedings, 
actions, damages, fines, costs, expenses or other liabilities which may arise 
out of, orin consequence of, a breach of the Data Protection Laws where 
the breach is the direct result of the Consultant acting in accordance with the 
Client’s specific written instructions. This indemnity provision shall not apply if 
the Consultant- 


(a) acts on the Client’s specific written instructions but fails to notify the 
Client in accordance with Condition 24.11(c) (Data Protection) of this 
Contract; 


(b) fails to comply with any other obligation under the Contract. 


10.3 The Consultant (if an individual) represents that the Consultant is 
regarded by both the Inland Revenue and the Department of Social Security 
as self-employed and accordingly shall indemnify the Client against any tax, 
national insurance contributions or similar impost for which the Client may be 
liable in respect of the Consultant by reason of this Contract. 


10.4 The Consultant shall effect with an insurance company or companies 
acceptable to the Client a policy or policies of insurance covering all the 
matters which are the subject of the indemnities and undertakings on the part 
of the Consultant contained in this Contract in the sum of £1 million at least in 
respect of any one incident and unlimited in total, unless otherwise agreed by 
the Client in writing. 


10.5 If requested, by the Client the Consultant shall produce to the Client the 
relevant policy or policies together with receipts or other evidence of payment 
of premiums, including the latest premium due thereunder. 


11. DISCRIMINATION 


The Consultant must not unlawfully discriminate against any person within the 
meaning of the Equality Act 2010 in its activities relating to the Contract or any other 
contract with the Client. 


12. BLACKLISTING 


The Consultant must not commit any breach of the Employment Relations Act 1999 
(Blacklists) Regulations 2010 or section 137 of the Trade Union and Labour Relations 
(Consolidation) Act 1992, or commit any breach of the Data Protection Laws by 
unlawfully processing Personal Data in connection with any blacklisting activities. 
Breach of this Condition is a material default which shall entitle the Client to terminate 
the Contract. 


13. OFFICIAL SECRETS ACTS, CONFIDENTIALITY AND ACCESS TO 
GOVERNMENT INFORMATION 


13.1 The Consultant undertakes to abide and procure that the Consultant’s 
employees abide by the provisions of The Official Secrets Acts 1911 to 1989. 


13.2 The Consultant shall keep secret and not disclose and shall procure that the 


Consultant's employees keep secret and do not disclose any information of a 
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13.3 


13.4 


13.5 


14. 


14.1 


confidential nature obtained by the Consultant by reason of this Contract 
except information which is in the public domain otherwise than by reason of 
a breach of this provision. 


All information related to the Contract with the Consultant will be treated as 
commercial in confidence by the parties except that: 


(a) | The Consultant may disclose any information as required by Law or 
judicial order to be disclosed. 


(b) The Client may disclose any information as required by Law or 
judicial order to be disclosed. Further, the Client may disclose all 
information obtained by the Client by virtue of the Contract to the Scottish 
or United Kingdom Parliament or any other department, office or agency 
of Her Majesty’s Government in Scotland or the United Kingdom, and 
their servants or agents, when disclosing such information to either the 
Scottish Parliament or the United Kingdom Parliament. It is recognised 
and agreed by both parties that the Client shall, if the Client sees fit, 
disclose such information but is unable to impose any restrictions upon 
the information that the Client provides to Members of the Scottish 
Parliament, (MSPs) or Members of the United Kingdom Parliament 
(MPs). Such disclosure shall not be treated as a breach of this Contract. 


The provisions of this Condition 13 shall apply during the continuance of this 
Contract and after its termination howsoever arising. 


The Parties acknowledge that, except for any Information which is exempt 
from disclosure in accordance with the provisions of the FOISA, the content 
of the Contract is not confidential information and the Consultant hereby gives 
its consent for the Client to publish the Contract in its entirety to the general 
public (but with any Information that is exempt from disclosure in accordance 
with the FOISA redacted) including any changes to the Contract agreed from 
time to time. 


TERMINATION 


The Consultant shall notify the Client in writing immediately upon the 
occurrence of any of the following events: 


(a) | where the Consultant is an individual and if a petition is presented for 
the Consultant's bankruptcy or the sequestration of the Consultants 
estate or a criminal bankruptcy order is made against the Consultant, 
or the Consultant makes any composition or arrangement with or for 
the benefit of creditors, or makes any conveyance or assignation for 
the benefit of creditors, or if an administrator or trustee is appointed to 
manage the Consultant's affairs; or 


(b) | where the Consultant is not an individual but is a firm, or a number of 
persons acting together in any capacity, if any event in (a) or (c) of this 
Condition occurs in respect of any partner in the firm or any of those 
persons or a petition is presented for the Consultant to be wound up as 
an unregistered company; or 


(c) | where the Consultant is a company, if the company passes a resolution 
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for winding-up or the court makes an administration order or a winding- 
up order, or the company makes a composition or arrangement with its 
creditors, or an administrator, administrative receiver, receiver or 
manager is appointed by a creditor or by the court, or possession is 
taken of any of its property under the terms of a floating charge. 


14.2 On the occurrence of any of the events described in Condition 14.1, or if the 
Consultant shall have committed a material breach of this contract and (if such 
breach is capable of remedy) shall have failed to remedy such breach within 
7 days of being required by the Client in writing to do so, or, where the 
Consultant is an individual, if the Consultant shall die or be adjudged 
incapable of managing his or her affairs within the meaning of the Adults with 
Incapacity (Scotland) Act 2000 or the Mental Health (Care and Treatment) 
(Scotland) Act 2003, the Client shall be entitled to terminate this Contract by 
notice to the Consultant with immediate effect. 


14.3 The Client may terminate the Contract in the event that: 


(a) | the Contract has been subject to substantial modification which would 
have required a new procurement procedure in accordance with 
regulation 72(9) (modification of contracts during their term) of The 
Public Contracts (Scotland) Regulations 2015; 


(b) the Consultant has, at the time of contract award, been in one of the 
situations referred to in regulation 58(1) (exclusion grounds) of The 
Public Contracts (Scotland) Regulations 2015, including as a result of 
the application of regulation 58(2) of those regulations, and should 
therefore have been excluded from the procurement procedure. 


14.4 The Client may also terminate the Contract in the event of a failure by the 
Consultant to comply in the performance of the Contract with legal obligations 
in the fields of environmental, social and employment Law. 


14.5 The Client shall be entitled to terminate this Contract by giving to the 
Consultant not less than 7 days’ notice to that effect. In the event of such 
termination, the Consultant shall, if required to do so by the Client, prepare 
and submit to the Client a report on the work done prior to the termination and 
making such recommendations as may be based on the work done prior to 
termination. 


14.6 Termination shall not prejudice or affect any right of action or remedy which 
shall have accrued or shall thereupon accrue to the Client and shall not affect 
the continued operation of Conditions 7 (Audit), 9 (Intellectual Property Rights) 
13 (Official Secrets Acts, etc.) and 24 (Data Protection). 


15. RETURN OF DOCUMENTS 


15.1 The Consultant will return to the Client promptly upon the termination of the 
Contract any document, paper, material or information supplied by or obtained 
from the Client or any Government Department in connection with the 
Contract, or extracted from such documents, papers, materials or information. 


15.2 If the Contract has been terminated pursuant to Condition 14.5, the 
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16. 


Consultant may retain any documents papers, materials or information which 
shall be required by the Consultant to prepare any report required under that 
paragraph. Promptly upon submission of the report to the Client, the Consultant 
will return any documents, papers, materials or information which the 
Consultant may have retained in terms of this paragraph. 


RECOVERY OF SUMS DUE 


Wherever under this Contract any sum of money is recoverable from or payable by 
the Consultant, that sum may be deducted from any sum then due or which at any 
later time may become due, to the Consultant under this Contract or under any other 
agreement or contract with the Client or with any department, agency or authority of 
the Crown. 


Ke 


17.1 


17.2 


17.3 


ASSIGNATION AND SUB-CONTRACTING 


The Consultant shall not assign or sub-contract any portion of the Contract 
without the prior written consent of the Client. Sub-contracting any part of the 
Contract shall not relieve the Consultant of any obligation or duty attributable 
to the Consultant under the Contract or these Conditions. 


Where the Client has consented to the placing of sub-contracts, copies of each 
sub-contract shall be sent by the Consultant to the Client immediately it is 
issued. 


Where the Consultant enters into a sub-contract must ensure that a provision 
is included which: 


17.3.1 requires payment to be made of all sums due by the Consultant to 
the sub-contractor within a specified period not exceeding 30 days 
from the receipt of a valid invoice as defined by the sub-contract 
requirements and provides that, where the Client has made 
payment to the Client in respect of the Project and the sub- 
contractor's invoice relates to such Project then, to that extent, the 
invoice must be treated as valid and, provided the Consultant is not 
exercising a right of retention or set-off in respect of a breach of 
contract by the sub-contractor or in respect of a sum otherwise due 
by the sub-contractor to the Consultant, payment must be made to 
the sub-contractor without deduction; 


17.3.2 notifies the sub-contractor that the sub-contract forms part of a 
larger contract for the benefit of the Client and that should the sub- 
contractor have any difficulty in securing the timely payment of an 
invoice, that matter may be referred by the sub-contractor to the 
Client; and 


17.3.3 inthe same terms as that set out in this Condition 17.3 (including for 
the avoidance of doubt this Condition 17.3.3) subject only to 
modification to refer to the correct designation of the equivalent 
party as the Consultant and sub-contractor as the case may be. 


17.4 The Consultant shall also include in every sub-contract: 


17.4.1 aright for the Consultant to terminate that sub-contract if the relevant 
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sub-contractor fails to comply in the performance of its contract with 
legal obligations in the fields of environmental, social or employment 
Law or if any of the termination events (involving substantial 
modification of the Contract, contract award despite the existence of 
exclusion grounds) specified in Condition 14.3 occur; and 


17.4.2 a requirement that the sub-contractor includes a provision having the 
same effect as 17.4.1 in any sub-contract which it awards. 


In this Condition 17.4, ‘sub-contract’ means a contract between two or more 
contractors, at any stage of remoteness from the Client in a sub-contracting 
chain, made wholly or substantially for the purpose of performing (or 
contributing to the performance of) the whole or any part of this Contract. 


18. NOTICES 


Any notice given under or pursuant to the Contract may be sent by hand or by post 
or by registered post or by the recorded delivery service or transmitted by telex, 
telemessage, facsimile transmission or other means of telecommunication resulting 
in the receipt of a written communication in permanent form and if so sent or 
transmitted to the address of the party shown on the Purchase Order, or to such other 
address as the party may by notice to the other have substituted therefor, shall be 
deemed effectively given on the day when in the ordinary course of the means of 
transmission it would first be received by the addressee in normal business hours. 


19. STATUS OF CONTRACT 


Nothing in the Contract shall have the effect of making the Consultant the servant of 
the Client or the Crown. 


20. COMPLIANCE WITH THE LAW ETC. 


In carrying out the Project and otherwise when performing the Contract, the Consultant 
must comply in all respects with: 


20.1 all applicable Law; 
20.2 any applicable requirements of regulatory bodies; and 


20.3 Good Industry Practice. 


21. DISPUTE RESOLUTION 


21.1 The parties must attempt in good faith to resolve any dispute between them 
arising out of or in connection with the Contract. 


21.2 Any dispute or difference arising out of or in connection with the Contract, 
including any question regarding its existence, validity or termination which 
cannot be resolved in good faith, shall be determined by the appointment of a 
single arbitrator to be agreed between the parties, and failing agreement 
within 14 days after either party has given to the other a written request to 
concur in the appointment of an arbitrator, by an arbitrator to be appointed by 
the Scottish Arbitration Centre on the written application of either party. The 
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seat of the arbitration shall be in Scotland. The language used in the arbitral 
proceedings shall be English. 


21.3 Any arbitration under 21.2 is subject to the Arbitration (Scotland) Act 2010. 


22. 


HEADINGS 


The headings to Conditions shall not affect their interpretation. 


23. 


GOVERNING LAW 


These Conditions shall be governed by and construed in accordance with Scots Law 
and the Consultant hereby irrevocably submits to the jurisdiction of the Scottish 
courts. The submission to such jurisdiction shall not (and shall not be construed so 
as to) limit the right of the Client to take proceedings against the Consultant in any 
other court of competent jurisdiction, nor shall the taking of proceedings in any one 
or more jurisdictions preclude the taking of proceedings in any other jurisdiction, 
whether concurrently or not. 


24. 


24.1 


24.2 


24.3 


24.4 


24.5 


DATA PROTECTION 


The Consultant acknowledges that any Personal Data described in the scope 
of Schedule Part 1 (Data Protection) will be Processed in connection with the 
Project under this Contract. For the purposes of any such Processing, Parties 
agree that the terms of this Condition 24 will apply where the Consultant acts 
as the Data Processor and the Client acts as the Data Controller. 


Both Parties agree to negotiate in good faith any such amendments to this 
Contract that may be required to ensure that both Parties meet all their 
obligations under the Data Protection Laws. The provisions of this Condition 24 
are without prejudice to any obligations and duties imposed directly on the 
Consultant under the Data Protection Laws and the Consultant hereby agrees 
to comply with those obligations and duties. 


The Consultant will, in conjunction with the Client and in its own right and in 
respect of the Project, make all necessary preparations to ensure it will be 
compliant with the Data Protection Laws. 


The Consultant will provide the Client with the contact details of its data 
protection officer or other designated individual with responsibility for data 
protection and privacy to act as the point of contact for the purpose of observing 
its obligations under the Data Protection Laws. 


The Consultant must: 


24.5.1 process Personal Data only as necessary in accordance 
with obligations under the Contract and any written instructions given by 
the Client (which may be specific or of a general nature), including 
with regard to transfers of Personal Data to a Third Country other than 
within the European Economic Area unless required to do so by 
European Union or domestic Law or Regulatory Body to which the 
Consultant is subject; in which case the Consultant must, unless 
prohibited by that Law, inform the Client of that legal requirement before 
processing the Personal Data only to the extent, and in such manner 
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24.6 


24.7 


as is necessary for the performance of the Consultant’s obligations 
under this Contract or as is required by the Law; 


24.5.2 subject to Condition 24.5.1 only process or otherwise transfer any 
Personal Data in or to a Third Country other than within the 
European Economic Area with the Client’s prior written consent; 


24.5.3 take all reasonable steps to ensure the reliability and integrity of any 
Consultant Personnel who have access to the Personal Data and 
ensure that the Consultant Personnel: 


(a) are aware of and comply with the Consultant’s duties under this 
Condition; 


(b) are subject to appropriate confidentiality undertakings with the 
Consultant or the relevant Sub-contractor; 


(c) are informed of the confidential nature of the Personal Data and 
do not publish, disclose or divulge any of the Personal Data to 
any third party unless directed in writing to do so by the Client or 
as otherwise permitted by this Contract; and 


(d) have undergone adequate training in the use, care, protection and 
handling of Personal Data. 


24.5.4 implement appropriate technical and organisational measures in 
accordance with Article 32 of the UK GDPR to protect Personal 
Data against unauthorised or unlawful Processing and against 
accidental loss, destruction, damage, alteration or disclosure, such 
measures being appropriate to the harm which might result from any 
unauthorised or unlawful Processing accidental loss, destruction or 
damage to the Personal Data and having regard to the nature of the 
Personal Data which is to be protected. 


The Consultant shall not engage a sub-contractor to carry out Processing in 
connection with the Project without prior specific or general written authorisation 
from the Client. In the case of general written authorisation, the Consultant must 
inform the Client of any intended changes concerning the addition or 
replacement of any other sub-contractor and give the Client an opportunity to 
object to such changes. 


If the Consultant engages a sub-contractor for carrying out Processing activities 
on behalf of the Client, the Consultant must ensure that same data protection 
obligations as set out in this Contract are imposed on the sub-contractor by way 
of a written and legally binding contract, in particular providing sufficient 
guarantees to implement appropriate technical and organisational measures. 
The Consultant shall remain fully liable to the Client for the performance of the 
sub-contractor’s performance of the obligations. 


NRSTC3 V1.0 2021 14 
NRS Procurement 


24.8 The Consultant must provide to the Client reasonable assistance including by 
such technical and organisational measures as may be appropriate in complying with 
Articles 12-23 of the UK GDPR. The Consultant must notify the Client if it: 


(a) receives a Data Subject Access Request (or purported Data Subject 
Access Request); 


(b) receives a request to rectify, block or erase any Personal Data; 


(c) receives any other request, complaint or communication relating to either 


Party's 


obligations under the Data Protection Laws; 


(d) receives any communication from the Information Commissioner or any 
other regulatory authority in connection with Personal Data processed 
under this Contract; or 


(e) receives a request from any third Party for disclosure of Personal Data 


where 


compliance with such request is required or purported to be required by 


Law or regulatory order; 


and such notification must take place as soon as is possible but in any event 
within 3 business days of receipt of the request or any other period as agreed 
in writing with the Client from time to time. 


24.9 Taking 
the Co 


into account the nature of the Processing and the information available, 
nsultant must assist the Client in complying with the Client’s obligations 


concerning the security of Personal Data, reporting requirements for data 
breaches, data protection impact assessments and prior consultations in 
accordance with Articles 32 to 36 of the UK GDPR. These obligations include: 


(a) 


(e) 


24.10 At the 


ensuring an appropriate level of protection through technical and 
organisational measures that take into account the circumstances and 
purposes of the processing as well as the projected probability and 
severity of a possible infringement of the Law as a result of security 
vulnerabilities and that enable an immediate detection of relevant 
infringement events. 


notifying a Personal Data breach to the Client without undue delay and 
in any event no later than 24 hours after becoming aware of a Personal 
Data breach; 


assisting the Client with communication of a Personal Data breach to a 
Data Subject; 


supporting the Client with preparation of a data protection impact 
assessment; 


supporting the Client with regard to prior consultation of the Information 
Commissioner. 


end of the Contract in relation to any processing carried out by the 


Consultant in respect of the Project, the Consultant must, on written instruction 
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of the Client, delete or return to the Client all Personal Data and delete existing 
copies unless EU or domestic Law requires storage of the Personal Data. 


24.11 The Consultant must: 


(a) provide such information as is necessary to enable the Client to satisfy 
itself of the Consultant's compliance with this Condition 24; 


(b) allow the Client, its employees, auditors, authorised agents or advisers 
reasonable access to any relevant premises, during normal business 
hours, to inspect the procedures, measures and records referred to in 
this Condition 24 and contribute as is reasonable to those audits and 
inspections; 


(c) inform the Client if, in its opinion, an instruction from the Client infringes 
any obligation under the Data Protection Laws. 


24.12 The Consultant must maintain written records including in electronic form, of all 
Processing activities carried out in performance of the Contract or otherwise on 
behalf of the Client containing the information set out in Article 30(2) of the 
UK GDPR. 


24.13 If requested, the Consultant must make such records referred to Condition 
24.12 available to the Information Commissioner on request and co-operate with 
the Information Commissioner in the performance of its tasks. 


24.14 Parties acknowledge that the inspecting party will use reasonable endeavours 
to carry out any audit or inspection under Condition 24.13 with minimum 
disruption to the Consultant's day to day business. 
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SUPPLEMENTARY NOTICE 
LATE PAYMENT OF INVOICES 


Consultants to the National Records of Scotland are requested to address 
complaints regarding late payment of invoices to, in the first instance, the 
addressee of the invoice and, in the second instance to the Chief 


Purchasing/Procurement Officer, Ladywell House, Ladywell Road, 
Edinburgh, EH12 7TF. This procedure is suggested as the best practical 
way of ensuring problems of late payment are resolved, and is not 
intended to interfere with Consultants’ legal rights. 


THIS NOTICE DOES NOT FORM PART OF THE CONDITIONS OF 
CONTRACT 





SCHEDULES 


The following two schedules may be required to form part of the contract. 


PART 1 DATA PROTECTION 
PART 2 CYBER SECURITY REQUIREMENTS 


Where either, or both, of these schedules are required it will be clearly stated by the 
Purchaser in the tender documents: 
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This is the Schedule referred to in the foregoing Conditions of Contract for the Purchase 
of Consultancy Services (Other than Works Consultancies) between [CLIENT NAME] and 


SCHEDULE 
PART 1 
DATA PROTECTION 


il 
ih 


The obligations and rights of the Client as the Data Controller are set out in Condition 24 of the 
Contract. 
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This is the Schedule referred to in the foregoing Conditions of Contract for the Purchase 
of Consultancy Services (Other than Works Consultancies) between [CLIENT NAME] and 


SCHEDULE PART 2 
CYBER SECURITY REQUIREMENTS 


Drafting notes: 


e Please note that this Schedule Part 2 including the Annex are optional. The Client may choose to incorporate these in the 


Contract at its discretion. 
Text in red requiresto be amended/updated by the Client to reflect the specific circumstances of the Contract. 





1. DEFINITIONS 
1.1. The defined terms used in this Schedule Part 2 shall have the following meanings: 


[“Cyber Implementation Plan” means the cyber implementation plan set out in Section B 
(Cyber Implementation Plan)] of the Annex to Schedule Part 2 (Cyber Security 
Requirements);] 


included. Otherwise it may be removed. 





“Cyber Security Incident” means anything, event, act or omission which gives, or may 
give, rise to: 


(i) unauthorised access to any informationsystem, data or electronic communications 
network (including breach of an applicable security policy); 

(ii) reduced integrity of an information system, data or electronic communications 
network; 

(iii) unauthorised use of any information system or electronic communications network 
for the processing (including storing) of data; 

(iv) disruption or change of the operation (including, but not limited to, takeover of 
control, malicious disruption and/or denial of service) of an information system or 
electronic communications network; 

(v) unauthorised changes to firmware, software or hardware; 

(vi) unauthorised destruction, damage, deletion or alteration of data residing in an 
information system or electronic communications network; 

(vii) | removal or limiting the availability of, or possibility to use, data residing in an 
information system or electronic communications network; 

(viii) the appropriation, publication, dissemination or any other use of data by persons 
unauthorised to do so; or 

(ix) a breach of the Computer Misuse Act 1990, the Network and Information Sy stems 
Regulations 2018, the Data Protection Laws, the Privacy and Electronic Communications 
(EC Directive) Regulations 2003, the Communications Act 2003, the Official Secrets Act 
1911 to 1989, or any other applicable legal requirements in connection with cybersecurity 
and/or privacy 


in connection with the Goods and/or the Contract; 


Drafting note: Please note that the Privacy and Electronic Communications (EC Directive) Regulations 2003 are planned to be 





replaced with new legislationin the future. 


“Cyber Security Requirements” means the Client’s requirements in connection with cyber 
security as set out in Section A (Cyber Security Requirements [and Section B ( Cyber 
Implementation Plan)| of the Annex to this Schedule Part 2 (Cyber Security Requirements), [the 
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Purchase Order, paragraph[ ] ofthe tender documentation and [ ] of the Contract] ; 


Drafting note: 
° The Client should amendthe above definition asappropriate. 
o Reference to Cyber Implementation Plan may not be required where a Cyber Implementation Plan will not be 
incorporated intothe contract. 


o If the Purchase Order, the Contract or tender documentation include any additional requirements relevant to cyber 
security, the Client may wish to reference these here. The Client may wish to refer to specific paragraphswithin the 
Purchase Order and/or the tender documentation and/or other part of the Contract. 





2. CYBER SECURITY REQUIREMENTS 
2.1 The Consultant shall comply with the Cyber Security Requirements and shall implement and 
maintain all security measures: 
(a) as may be required under applicable Laws (including but not limited to the 
Network and Information Systems Regulations 2018); 


(b) to enable it to discharge its obligations under this Schedule Part 2 (Cyber 
Security Requirements); and 


(c) to ensure there are no Cyber Security Incidents 
in all cases to the Client’s reasonable satisfaction and in accordance with Good Industry Practice. 


2.2 The Consultant shall notify the Client immediately it knows or believes that a Cyber Security 
Incident has or may have taken place and shall provide full details of the incident and any 
mitigation measures already taken and intended to be taken by it and (where applicable) any 
mitigation measures recommended by it to be taken by the Client. 


2.3 If the Consultant fails to comply with the provisions of paragraphs 2.1 and/or 2.2, the Client 
may take any action it considers appropriate or necessary (and the Consultant shall comply 
with the Client’s requests in this respect). 
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ANNEX 


Drafting note: This Annex isnotrequired where Schedule Part 2 isnotincorporated into the Contract, atthe Clientssole option. 





The cyber security requirements applicable to the Contract are set out in this Annex to Schedule 
Part 2. Section A (Cyber Security Requirements) includes the Client’s requirements in connection 
with cyber security [and Section B (Cyber Implementation Plan) sets out further details on how 
the Consultant will meet such requirements]. 


Drafting note: The Clientshould retainthe reference to SectionB above if: 

e the Scottish Cyber Assessment Service (SCAS) tool hasbeen used in connection withthe contract; and 

e the Consultant and the Clienthave agreed a Cyber Implementation Plan in conjunction with the SAQ report generated by the 
SCAS tool 





Section A: Cyber Security Requirements 


Overview of requirements: 


[Cyber risk profile] 


[Additional questions for [Cloud security] 

management of specific cyber [Personal data security] 

risks covering:] [Governance] 

[Etc.] 

[Cyber Essentials or equivalent] 
[Cyber Essentials Plus or equivalent] 
[IASME Gold or equivalent] 
[ISO27001 or equivalent] 


[Supporting evidence required] [Insert details of any supporting evidence required] 


[Client’s risk management [Strict pass/fail] 
approach] 


[Cyber Implementation Plans accepted] 
Drafting note: If the SCAS tool isused, insert information inthe above table that summ arisesthe Client’scyber security 
requirements. Cyber security requirements set out in this Schedule Part 2 and the Annex should not deviate from the 
requirementsset out in any part of the tender documentation. An exampleisprovided above. The Client should checkand 
amend fieldsand entriesto fit itscontract. 


[Certification requested for 
assurance purposes] 





The Consultant shall meet the following requirements: 


Drafting note: If the SCAS tool isused, the Client’srequirements from SCAS require to be incorporated into the contract. Two 

optionsto achieve thisinclude the following: 

° OPTION 1: Either cut and paste or append the full “SAQ Responses’ section of the Consultant’s SAQ Report, which sets out 
all questions asked of bidding Consultantsin the SCAS SAQ (i.e. the Client’s requirements), and the Consultants responses. 
Please also include details of subsequent clarificationswith the Consultant, if applicable. 

OPTION 2: provide the following information (asset out in the table below) from the SCAS tool. 


The Client should choose the option appropriate to the contract, Option 1 being preferable from the point of view of clarity. In 
case of Option 2, the Client should retain records of its requirements and the Consultant’sresponses. The Client shouldalso 

retain all metadata/ other information (such ase-mail alerts) generated by SCAS relating to completion of SAQsby it and the 
Consultant. 


The cyber security requirements | e [Insert reference number for contract] 
for the Contract, and the 

Consultant’s responses, are set 

out in the Scottish Cyber 





NRSTC3 V1.0 2021 21 
NRS Procurement 


following reference number: 

Time that the Consultant e [Insert the time and date at which the Consultant 
submitted its responses to the submitted its response to the SAQ via SCAS] 

above cyber security 

requirements via SCAS: 


Details of any subsequent e [Insert details of any subsequent clarifications] 
clarifications: 








Drafting note: If SCAS is NOT used, the Client should insert applicable cyber security requirementshere. Thismay include 
extracting / making reference to relevantpartsof the Purchase Order and/or other parts of the Contract and/or the tender 
documentation. Cyber security requirements set out in this Schedule Part 2 and the Annex should not deviate from the 
requirements set out in any part of the tender documentation. 


[Section B: Cyber Implementation Plan 


Drafting note: If SCAS is used, and a Cyber Implementation Plan hasbeen submitted by the Consultantand agreed by the 
Client, the Clientshould include this section B and the text below (if not, thissection B may be deleted). Ensure that the date or 
contract phase isamended to align with the requirementscommunicatedin the Purchase Order and/or any other part of the 
Contract and/or the tender documentation and the SCAS tool. 


The Client should insert below the frequency of review of the Cyber Implementation Planwith the Consultant. Thisshould match 
any frequency indicated inthe Purchase Order and/or elsewhere inthe Contract and/or the tender documentation. 

The template Cyber Implementation Plan may be found from the following address: https://www. gov. scot/publications/cyber- 
resilience-supply-chain-guidance 





The Consultant shall followthe agreed Cyber Implementation Plan to meet the requirements of 
Section A by no later than the date(s) set out in the Cyber Implementation Plan. The parties 
shall review the Consultant’s progress on the Cyber Implementation Plan regularly every [4 
weeks]. If the Consultant fails to meet the commitments set out in the Cyber Implementation 
Plan, this shall be considered to be a material breach of the Contract for the purposes of 
Condition 14.2 (Termination). 


Drafting note: Insert orappend the agreed Cyber Implementation Plan below. Thetemplate Cyber Implementation Plan may be 


found from the following address: https://www. gov.scot/publications/cyber-resilience-supply-chain-guidance 
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